Scammers are using a network of fake apps to steal funds from crypto newbies
Attackers are even targeting victims via dating sites
Security researchers have identified a “stash” of more than 150 fake trading, banking and cryptocurrency apps designed to steal victims’ funds.
According to Sophos, the fraudulent iOS and Android apps all utilize a common server, suggesting a single cybercriminal group is responsible. This assumption is supported by commonalities in the design of the applications, as well as communications with the fake customer support team.
The attackers are said to have utilized various social engineering techniques to encourage people to install the malicious apps, even going as far as to build relationships with potential victims over dating services.
In one instance, the scam operators created a fake version of the App Store download page, in a bid to trick people into thinking the application originated from a trusted source.
Fake crypto apps
When the app download is triggered, the victim is served with what looks like a standard mobile application, often mimicking the branding of a popular financial service.
However, the icon is merely a shortcut that links to a fake landing page, where users are encouraged to enter financial credentials or trigger a cryptocurrency transaction, under the guise of topping up their account balance.
According to Sophos, if the victim later attempts to withdraw funds or close out their account, the operators simply block access.
To shield against attacks of this kind, Sophos says there are a few simple steps that all mobile users should take.
“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play and Apple’s app store. Developers of popular apps often have a website, which directs users to the genuine app and, if they have the skills to do so, users should verify if the app they are about to install was created by its actual developer,” said Jagadeesh Chandraiah, Senior Threat Researcher at Sophos.
“Last, but not least, if something seems risky or too good to be true – such as high returns on investment or someone from a dating site asking you to transfer money or cryptocurrency assets into some ‘great’ account – then sadly it probably is.”
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.